npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@stepstitch/tracker

v0.6.0

Published

StepStitch — issue-to-repro infrastructure (not session replay): turns a user-reported problem into scrubbed diagnostics, a replayability score, and a copyable Playwright reproduction, without capturing screens, input values, or page text. Zero runtime de

Downloads

594

Readme

StepStitch

npm CI CodeQL Release License: Apache 2.0 Website

Issue-to-repro infrastructure — not session replay. When a user reports a problem, StepStitch turns that single report into a scrubbed event timeline, structural frontend diagnostics, a replayability score, and a copyable Playwright reproduction — without capturing screens, input values, page text, or raw URLs. Zero runtime dependencies. Built for regulated and quality-focused teams that self-host.

The wedge is deliberate. Session-replay/observability tools (Sentry, LogRocket, FullStory, Datadog) already sell "watch every session." Most engineering teams don't need another recording to watch — they need a user-reported bug that can become a regression test. StepStitch leads with privacy-safe debugging evidence and reproducibility, not analytics.

| | Session-replay / observability | StepStitch | |---|---|---| | Records the user's screen / session | Yes | No, never | | Captures input values, page text, PII | By default (can be configured to reduce) | No — structural evidence only | | What you get out | A session to watch | A runnable Playwright regression test | | Self-hosted, data stays in your boundary | Varies / mostly SaaS | Yes — Apache-2.0, self-hostable | | SDK runtime dependencies | Several | Zero | | Posture for regulated / PII-sensitive teams | Privacy is an opt-in configuration | Privacy is the default and the boundary is the code |

See it: the red-to-green demo — a real bug becomes a failing Playwright test that turns green once the fix lands.

Privacy posture

Borrows the strongest privacy model in the category (Sentry Session Replay's "private by default") — but StepStitch captures structure for reproduction, never a watchable recording:

  • Masks all text by default; opt-in unmask via data-stepstitch-unmask.
  • Never captures input values; hard-skips password / credit-card / [data-sensitive].
  • Blocks media; reduces URLs to route templates (/accounts/:id).
  • Capture is OFF until grantConsent(), and honors GPC / Do-Not-Track.
  • disable() kill switch for incident response.

The redaction guarantees are proven in tests/redaction-proof.test.ts — the artifact to hand a security review.

Enterprise evidence layer (server-side)

The browser SDK redacts in the page, but the backend never trusts the client. The stepstitch_service package (see service/) turns a reported session into privacy-safe support-to-engineering evidence:

  • Server-side scrubber — every ingestion is scrubbed before storage, independent of the SDK. SSNs, card/account numbers, phone, email, dates, long IDs and raw URLs are redacted from free text; routes are re-templated; metadata is strict-allowlisted; and forbidden keys (request/response bodies, console, headers, cookies, screenshots, dom) are dropped. A hand-rolled hostile POST cannot persist NPI. The per-trace scrub report is returned on ingest and stored at trace_metadata._scrub as compliance proof.
  • Replayability score — every trace carries a deterministic 0–1 score + grade + warnings, so support knows whether engineering can actually reproduce it. The compiled Playwright repro leads with that header.
  • Sanitized frontend diagnostics — API failures and frontend exceptions can carry useful structure (status, method, endpoint template, exception type, source path, line, build/release metadata) while raw logs, raw messages, stacks, headers, cookies, bodies, screenshots, page text, input values, and full URLs remain out of the trace.
  • Deployment profilesfinancial-services-enterprise (default), healthcare-strict (free text dropped, forbidden keys reject 422), internal-enterprise, open-source-default. A profile may only tighten the NPI boundary.
  • Financial-services support pack — flat, sanitized ServiceNow incident, Salesforce case, and Genesys support-context drafts built from a structure-derived TraceSummary (never raw footsteps, the explanation, or the user id). Direct system-of-record writes stay behind host governance.
  • Copilot-safe surface — read-only/draft endpoints + an OpenAPI tool pack (copilot/) for a Microsoft Copilot Studio agent. Exposes no delete, retention, kill-switch, raw-read, or direct write. StepStitch is the core; supporting systems (ServiceNow, Salesforce, Genesys workflows) are reached through the agent's native Copilot connectors or governed Power Platform flows, fed by StepStitch's sanitized flat drafts — StepStitch holds no system-of-record credentials and builds no outbound CRM/contact-center send layer. See copilot/SETUP.md.
  • Compliance evidenceCOMPLIANCE-EVIDENCE.md is generated from the live scrub policy (npm run evidence); a drift guard keeps it equal to the code.

Each is proven by the test suite (183 service + 31 host + 22 SDK tests). See contracts/stepstitch.md for the frozen contracts and COMPLIANCE-EVIDENCE.md for the reviewer packet.

Universal agentic connector (MCP)

StepStitch is a capability provider, not an agent orchestrator — it perceives, scores, compiles a Playwright repro, and drafts, but never plans or acts autonomously. Its universal connector is an MCP server (service/stepstitch_service/mcp_server.py, run via mcp_cli.py): the same eight read-only/draft operations, consumable by any MCP client — Microsoft Copilot Studio, OpenAI, Google Vertex, LangGraph, AWS Bedrock, Claude. One server, every agent network; the autonomy stays in the customer's stack. A no-destructive guard runs at import, and the tool set is drift-guarded against the OpenAPI pack and the live routes (service/tests/test_mcp_surface.py). See copilot/MCP-SETUP.md and docs/DEPLOY.md.

Fully open (Apache-2.0)

Everything in this repository is Apache-2.0 — the SDK, the privacy/repro engine, the MCP connector, and the concrete ServiceNow / Salesforce / Genesys adapters. The adapter framework (integrations/base.py: TraceSummary, DraftAdapter, assert_flat) is the single, public extension seam: a host injects adapters via create_stepstitch_router(draft_adapters=...), and anyone can add their own (Jira, Zendesk, …) the same way.

An architecture boundary is still enforced so the design stays clean — the core never imports a concrete adapter, and adapters only ever see the sanitized TraceSummary. This is a layering rule (not a licensing one), proven by service/tests/test_open_core_boundary.py and an .importlinter contract. A future commercially-licensed edition may re-introduce a paid adapter/compliance pack; see COMMERCIAL.md, docs/PRODUCT-PLAN.md, and docs/DEPLOY.md.

Usage

import { StepStitchTracker } from "@stepstitch/tracker"

const tracker = new StepStitchTracker({
  appId: "your-app",
  ingestEndpoint: "/api/stepstitch/v1/session", // same-tenant only
})

// after your consent manager confirms opt-in:
tracker.grantConsent("v1")

// from your own API client (the SDK does NOT patch fetch):
if (!res.ok) tracker.recordApiError(res.status, res.url, "POST")

// from your own frontend error boundary (no raw messages or stacks):
tracker.recordFrontendException("ChunkLoadError", "/static/app-abc123.js", 41, 2)

// from a "Report Bug" control:
const { traceId } = await tracker.submitTrace("Pay button did nothing", projectId)

// SPA route hook:
tracker.recordNavigation()

// teardown / kill switch:
tracker.destroy()
tracker.disable()

Develop

npm install
npm run type-check
npm test          # includes the redaction-proof gate
npm run build

See contracts/stepstitch.md for the frozen wire contract and INCIDENT-RESPONSE.md for the self-host incident-response notes.

Documentation

  • Getting starteddocs/getting-started.md (install → ingest host → first repro)
  • Contributing & governanceCONTRIBUTING.md, GOVERNANCE.md, SECURITY.md
  • Build a connectordocs/connectors.md (the public DraftAdapter SDK + conformance kit)
  • Agent networksdocs/AGENTS.md (MCP, function specs for Hermes/OpenAI, the repro→PR loop)
  • System-of-record integrationsdocs/integrations/servicenow.md, docs/integrations/salesforce.md (incl. the optional governed direct-write)
  • Deploy & releasedocs/DEPLOY.md, RELEASE.md (automated via release-please + publish-on-tag)
  • Pilotdocs/targets/financial-services-pilot.md; status ledger docs/STATUS.md; plan docs/PRODUCT-PLAN.md
  • Product site & buyer pagesstepstitch.vercel.app: the red-to-green demo (generated by demo/README.mdnpm run demo), quickstart, financial-services pilot, privacy vs. replay, and agents & MCP